When site reliability engineer David Barksdale was fired from his job at Google for allegedly using his position to cyberstalk teens with Google Talk accounts, it sent a shiver across the Internet. The idea that a creepy geek working for one of the world’s biggest technology companies could use his combination of technical acumen and privileged access to spy on young citizens seemed to raise the worst kind of privacy fears. More than learning information carelessly or ignorantly posted online, Barksdale’s supposed deeds evoked darker images, the sort Chris Hansen has made a comfortable living capturing on video. As part of his job, Barksdale had the keys to the digital kingdom and could pry into the profiles and accounts of individuals who trusted Google and used the company’s services to communicate with others in what they believed to be security and confidentiality.
Anyone following the story had a right to be outraged. The teens Barksdale may have spied on could have been my kid, or yours. And the incident raised broader questions about the nature of information security in the digital age. How much privacy do we have? Who really has access to the information we share with our trusted vendors? What are the risks of taking advantage of the many tools available to anyone on the Internet?
These questions are legitimate, but they aren’t new. The fact that Barksdale worked for one of the biggest brands on the Internet magnified the attention the story received, but the underlying issue of trust and betrayal means the questions now being asked should have been asked all along.
Consider some other recent headlines that involved individuals taking advantage of privileged access to information for less than honorable reasons:
- UCLA Medical Center administrative assistant Lawanda Jackson used her position to snoop the medical files of the hospital’s patients on behalf of the National Enquirer. Among the records Jackson accessed were those belonging to celebrities like Farrah Fawcett and Britney Spears.
- Jackson Memorial Hospital (Miami) ultrasound technician Rebecca Garcia was paid $1000 a month to steal medical records for injuries due to auto accidents and slips-and-falls and provide them to Rueben E. Rodriguez, who would then sell the information to lawyers as leads for personal injury, negligence, and similar lawsuits.
- A similar data theft scheme affected patients at University Medical Center in Las Vegas, Nevada. UMC employees informed hospital officials that patient files were being accessed and sold to personal injury lawyers. When CEO Kathy Silver learned files were being stolen and sold, she looked into the situation but then dismissed it as a “nonissue,” according to reports. An investigation is ongoing.
Each of these cases (and many more besides) involved an individual with privileged access to sensitive personal information betraying the trust imputed to them to do their job. We can’t escape the fact that nearly every facet of our lives involves the granting of some level of trust to others. Our employment, personal relationships, religious affiliations, health care, financial management and other personal and professional associations require that we share certain information that we might otherwise choose to keep to ourselves. The stronger the relationship and the more trust we grant, the more information we share.
We tend not to think about this much in our day-to-day affairs. Even when a story like the one involving Google breaks and catches our attention, it’s easy to dismiss the possible personal implications. I’m more vigilant. I don’t have a Google Talk account. Those things happen to other people. Taken out of the digital realm, it’s not a stretch to compare the potential consequences of Barksdale’s teen stalking to the actual consequences of betrayals that have been happening for years in schools, clubs, churches, and other organizations where children congregate. And adults are far from immune; the fact is we are all vulnerable to social engineering.
To focus on Google (or, less specifically, the Internet) as the bad actor in this story is to miss the bigger picture: online or offline, life involves risk, and the best way to mitigate risk is through informed engagement. Trust is integral to that engagement and, unfortunately all too often, so is betrayal.
Mike Spinney is a senior privacy analyst with privacy research and consulting firm Ponemon Institute. For more information about or to contact the Ponemon Institute, visit www.ponemon.org.